Domain Name System (DNS)

Workload location	Root and organization workloads
Audit log source	Kubernetes audit logs
Audited operations	Update a zone Create or delete a DNSSEC key Change a DNSSEC key (ZSK or KSK) for signing records in a DNS zone

Update a zone

Fields in the log entry that contain audit information
Audit metadata	Audit field name	Value
User or service identity	`user.username`	For example, "user":{ "username": "dns@example.com" }
Target (Fields and values that call the API)	`requestURI`	`"requestURI":"/api/v1/namespaces/dns-system/configmaps/gpc-coredns-external-zonefile"`
Action (Fields containing the performed operation)	`verb`	`"verb":"update"`
Event timestamp	`ts`	For example, `"ts":2022-11-11T22:02:02.074Z`
Source of action	`sourceIPs`	For example, `"sourceIPs":["10.142.5.147"]`
Outcome	`responseStatus.code`	For example, "responseStatus":{ "code":200 }
Other fields	`annotations` `objectRef`	For example, "annotations":{ "authorization.k8s.io/decision":"allow" }, "objectRef":{ "resourceVersion":"697063", "uid":"aed2e6f7-ca03-4bcd-9c07-167ccd4da88e", "apiVersion":"v1", "resource":"configmaps", "apiGroup":"UNKNOWN", "namespace":"dns-system", "name":"gpc-coredns-external-zonefile" }

Example log

{
  "_gdch_cluster":"root-admin",
  "_gdch_fluentbit_pod":"anthos-audit-logs-forwarder-7s769",
  "_gdch_service_name":"apiserver",
  "annotations":{
    "authorization.k8s.io/decision":"allow",
    "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"dns-core-controllers-rolebinding\" of ClusterRole \"dns-core-controllers-role\" to ServiceAccount \"dns-core-controller-sa/dns-system\"",
    },
  "apiVersion":"audit.k8s.io/v1",
  "auditID":"ba0344d7-283f-4d79-aabc-e083al9b053a",
  "kind":"Event",
  "level":"Metadata",
  "objectRef":{
    "resourceVersion":"697063",
    "uid":"aed2e6f7-ca03-4bcd-9c07-167ccd4da88e",
    "apiVersion":"v1",
    "resource":"configmaps",
    "apiGroup":"UNKNOWN",
    "namespace":"dns-system",
    "name":"gpc-coredns-external-zonefile"
    },
  "requestReceivedTimestamp":"2022-11-11T22:02:02.034688Z",
  "requestURI":"/api/v1/namespaces/dns-system/configmaps/gpc-coredns-external-zonefile",
  "responseStatus":{
    "metadata":{},
    "code":200
    },
  "sourceIPs":["10.142.5.147"],
  "stage":"ResponseComplete",
  "stageTimestamp":"2022-11-11T22:02:02.045045Z",
  "ts":2022-11-11T22:02:02.074Z,
  "tsNs":1668204122074601081,
  "user":{
    "uid":"08f727c9-5e3d-403f-bf35-06ef53f9832c",
    "groups":[
      "system:serviceaccounts",
      "system:serviceaccounts:dns-system",
      "system:authenticated"
      ],
    "username": "system:serviceaccount:dns-system:dns-core-controller-sa",
    "extra": {
      "authentication.kubernetes.io/pod-name":["dns-core-controller-58c4646858-z8kmr"],
      "authentication.kubernetes.io/pod-uid":["7cfc9b72-aacc-4e86-b43f-016498055230"]
      }
    },
  "userAgent":"controller-manager/v0.0.0 (linux/amd64) kubernetes/$Format",
  "verb":"update"
}

Create or delete a DNSSEC key

Fields in the log entry that contain audit information
Audit metadata	Audit field name	Value
User or service identity	`user.username`	For example, "user":{ "username": "dns@example.com" }
Target (Fields and values that call the API)	`requestURI`	`"requestURI":"/api/v1/namespaces/dns-system/secrets/gpc-coredns-external-ksks"`
Action (Fields containing the performed operation)	`verb`	`"verb":"update"`
Event timestamp	`ts`	For example, `"ts":2022-11-11T22:02:02.074Z`
Source of action	`sourceIPs`	For example, `"sourceIPs":["10.142.5.147"]`
Outcome	`responseStatus.code`	For example, "responseStatus":{ "code":200 }
Other fields	`annotations` `objectRef`	For example, "annotations":{ "authorization.k8s.io/decision":"allow" }, "objectRef":{ "resource": "secrets", "namespace":"dns-system", "uid":"9a9c16ca-3601-4bc9-8683-629a61ea5234", "apiVersion":"v1", "resourceVersion":"825911", "apiGroup":"UNKNOWN", "name":"gpc-coredns-external-ksks" }

Example log

{
  "_gdch_cluster":"root-admin",
  "_gdch_fluentbit_pod":"audit-logs-forwarder-t15kb",
  "_gdch_service_name":"apiserver",
  "annotations":{
    "authorization.k8s.io/decision":"allow",
    "authorization.k8s.io/reason":"RBAC: allowed by RoleBinding 'dns@example.com-dns-key-manager/dns-system' of Role 'dns-key-manager' to User 'dns@example.com'"
    },
  "apiVersion":"audit.k8s.io/v1",
  "auditID":"87d3d836-b5a2-487a-8480-bc8078c5b248",
  "kind":"Event",
  "level":"Metadata",
  "objectRef":{
    "resource": "secrets",
    "namespace":"dns-system",
    "uid":"9a9c16ca-3601-4bc9-8683-629a61ea5234",
    "apiVersion":"v1",
    "resourceVersion":"825911",
    "apiGroup":"UNKNOWN",
    "name":"gpc-coredns-external-ksks"
    },
  "requestReceivedTimestamp":"2022-11-11T22:02:02.034688Z",
  "requestURI":"/api/v1/namespaces/dns-system/secrets/gpc-coredns-external-ksks",
  "responseStatus":{
    "metadata":{},
    "code":200
    },
  "sourceIPs":["10.142.5.147"],
  "stage":"ResponseComplete",
  "stageTimestamp":"2022-11-11T22:02:02.045045Z",
  "ts":2022-11-11T22:02:02.074Z,
  "tsNs":1668204122074601081,
  "user":{
    "groups":[
      "system: authenticated"
      ],
    "username": "dns@example.com"
    },
  "userAgent":"gdcloud/v0.0.0 (linux/amd64) kubernetes/$Format",
  "verb":"update"
}

Change a DNSSEC key

Fields in the log entry that contain audit information
Audit metadata	Audit field name	Value
User or service identity	`user.username`	For example, "user":{ "username": "dns@example.com" }
Target (Fields and values that call the API)	`requestURI`	`"requestURI":"/api/v1/namespaces/dns-system/configmaps/gpc-coredns-external-corefile"`
Action (Fields containing the performed operation)	`verb`	`"verb":"update"`
Event timestamp	`ts`	For example, `"ts":2022-11-11T22:02:02.074Z`
Source of action	`sourceIPs`	For example, `"sourceIPs":["10.142.5.147"]`
Outcome	`responseStatus.code`	For example, "responseStatus":{ "code":200 }
Other fields	`annotations` `objectRef`	For example, "annotations":{ "authorization.k8s.io/decision":"allow" }, "objectRef":{ "resourceVersion":"758987", "resource":"configmaps", "apiGroup":"UNKNOWN", "name":"gpc-coredns-external-corefile", "apiVersion":"v1", "namespace":"dns-system", "uid":"d831c851-4fa3-4£30-92f6-c68cb36b0a80" }

Example log

{
  "_gdch_cluster":"root-admin",
  "_gdch_fluentbit_pod":"audit-logs-forwarder-8z2rm",
  "_gdch_service_name":"apiserver",
  "annotations":{
    "authorization.k8s.io/decision":"allow",
    "authorization.k8s.io/reason":"RBAC: allowed by RoleBinding 'dns@example.com-dns-key-manager/dns-system' of Role 'dns-key-manager' to User 'dns@example.com'"
    },
  "apiVersion":"audit.k8s.io/v1",
  "auditID":"ba0344d7-283f-4d79-aabc-e083al9b053a",
  "kind":"Event",
  "level":"Metadata",
  "objectRef":{
    "resourceVersion":"758987",
    "resource":"configmaps",
    "apiGroup":"UNKNOWN",
    "name":"gpc-coredns-external- corefile",
    "apiVersion":"v1",
    "namespace":"dns-system",
    "uid":"d831c851-4fa3-4£30-92f6-c68cb36b0a80"
    },
  "requestReceivedTimestamp":"2022-11-11T22:02:02.034688Z",
  "requestURI":"/api/v1/namespaces/dns-system/configmaps/gpc-coredns-external-corefile",
  "responseStatus":{
    "metadata":{},
    "code":200
    },
  "sourceIPs":["10.142.5.147"],
  "stage":"ResponseComplete",
  "stageTimestamp":"2022-11-11T22:02:02.045045Z",
  "ts":2022-11-11T22:02:02.074Z,
  "tsNs":1668204122074601081,
  "user":{
    "groups":[
      "system: authenticated"
      ],
    "username": "dns@example.com"
    },
  "userAgent":"gdcloud/v0.0.0 (linux/amd64) kubernetes/$Format",
  "verb":"update"
}